Secrets not detected in PLSQL package

  • Using Bitbucket Cloud pipeline
  • PLSQL
  • Exploring the SonarQube Cloud Free Trial

I have this example statement, which we use to connect to an LDAP server, that I’m using to test the secret scanning:

  l_bind := dbms_ldap.simple_bind_s(
      ld     => l_session,
      dn     => 'jnewman',           -- username
      passwd => 'z9b5M3bX3MERSTP'    -- dummy password
   );

The scan via the pipeline seems to be working, but is not detecting any secrets.

The file being scanned is a .sql file, and I’ve included it in the list of file patterns.

Anything that I’m missing that would prevent the secret from being picked up by the scanner?

Hey there.

We’ve had a long-standing (unfortunately private) internal ticket for implementing a “Credentials should not be hard-coded” rule for PL/SQL.

Because the credentials in question are generic and not linked to a specific provider, our shiny new “secret detection” rules don’t flag these instances as issues. However, I agree that this is an important gap.

I’ve linked your post to the existing ticket to increase its visibility, and I’ll also bring this up with our product managers.
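Until a PL/SQL rule for generic hard-coded credentials exists, a small check of your own can run in the same pipeline step. The script below is an added example; it is not code from the original thread, from SonarSource, or from the SonarQube scanner. It scans PL/SQL text for string literals passed as the password to dbms_ldap.simple_bind_s (named `passwd =>` or positional third argument) and for plaintext `IDENTIFIED BY` clauses, and reports each hit with the secret masked. The sample PL/SQL it scans is constructed here (the named bind call mirrors the one in the post), the rule names and the `Finding` type are this example's own, and the regexes are heuristics rather than any SonarQube rule.

```python
import re
from dataclasses import dataclass

# Constructed sample input, not a file from the original post. Lines 7-11
# mirror the posted bind call; the rest exercises other cases.
SAMPLE_PLSQL = """\
DECLARE
   l_session dbms_ldap.session;
   l_bind    PLS_INTEGER;
   l_pwd     VARCHAR2(100);
BEGIN
   -- Named arguments, as in the original post
   l_bind := dbms_ldap.simple_bind_s(
       ld     => l_session,
       dn     => 'jnewman',--username
       passwd => 'z9b5M3bX3MERSTP'--dummy password
   );
   -- Positional arguments: the password is the third parameter
   l_bind := dbms_ldap.simple_bind_s(l_session, 'svc_app', 'Hunter2!');
   -- Password fetched at runtime, not a literal: must not be flagged
   SELECT secret INTO l_pwd FROM app_secrets WHERE name = 'ldap';
   l_bind := dbms_ldap.simple_bind_s(ld => l_session, dn => 'svc_app', passwd => l_pwd);
   -- Hard-coded credential in a database link definition
   EXECUTE IMMEDIATE q'[CREATE DATABASE LINK hr_link CONNECT TO hr IDENTIFIED BY "Sup3rS3cret" USING 'HRDB']';
END;
"""


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line of the literal in the scanned text
    rule: str     # hypothetical rule id, this example's own naming
    masked: str   # secret with all but the first two characters replaced


# Each rule captures the candidate secret in a group. The patterns are
# deliberately narrow: they only fire on quoted literals (or a bare word
# after IDENTIFIED BY), so a variable such as "passwd => l_pwd" is ignored.
RULES = [
    ("ldap-bind-named",
     re.compile(r"\bpasswd\s*=>\s*'([^']*)'", re.I)),
    # Positional form: dbms_ldap.simple_bind_s(ld, dn, passwd). The first
    # two arguments may be anything without commas or parentheses; the
    # third must be a string literal.
    ("ldap-bind-positional",
     re.compile(r"\bdbms_ldap\.simple_bind_s\s*\(\s*[^,()]+,\s*[^,()]+,\s*'([^']*)'", re.I)),
    # CREATE USER / CREATE DATABASE LINK ... IDENTIFIED BY <plaintext>
    ("identified-by",
     re.compile(r"\bIDENTIFIED\s+BY\s+(?:\"([^\"]*)\"|'([^']*)'|(\w+))", re.I)),
]


def mask(secret: str) -> str:
    """Keep two characters so a reviewer can locate the literal, hide the rest."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_plsql(text: str) -> list[Finding]:
    """Return findings for hard-coded credentials in PL/SQL source, sorted by line.

    The whole text is scanned (not line by line) so calls split across
    lines are still matched. Comments are not stripped on purpose: a
    password left in a commented-out call is still a leaked secret.
    """
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(text):
            secret = next((g for g in m.groups() if g is not None), "")
            # Skip empty strings (anonymous bind) and the hashed
            # "IDENTIFIED BY VALUES '...'" form, which is not plaintext.
            if not secret or secret.upper() == "VALUES":
                continue
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, rule, mask(secret)))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_plsql(SAMPLE_PLSQL):
        print(f"line {f.line}: {f.rule}: {f.masked}")
```

Pointing `scan_plsql` at every `.sql` file in the repository and failing the pipeline when it returns any findings gives you the hard-coded-credential check while the rule is pending. The longer-term fix for the posted snippet is the same regardless of scanner: read the bind password from a secret store or wallet at runtime instead of embedding a literal in the package.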
